Insights
Practical data protection and AI governance guidance for UK organisations. Written from experience, not from research.
Latest insights
Do you actually need a data protection officer?
The founder wants a yes or no on whether the business needs a DPO. Two questions are being stitched together, and pulling them apart makes the real decision visible. Here's what UK GDPR actually requires in 2026, where the SRI commentary is wrong, and what a DPO has to be to count as one.
The AI skills gap: why governance expertise matters more than you think
The UK AI skills gap is real, but it's being misdiagnosed. It isn't a hiring problem. It's a problem of knowing what capability your business actually needs under the 2026 rules, and most of the market is selling you something else. Here's how to read the options properly before buying.
Recent insights
Guides
What happens when someone asks to see their data
Every organisation the ICO has reprimanded for subject access failures had a SAR policy. The failure is rarely legal; it's operational. Here's what's changed in 2026, what deliberately hasn't, and what a defensible response to a SAR actually looks like.
Guides
You're already using AI – here's what UK law requires
Most boards think their business uses a handful of AI tools. In reality, 71% of employees are using unapproved AI at work. UK GDPR already covers all of it. Here's what the law requires and what to do about it.
Guides
Your organisation had a data breach – here's what happens next
The ICO doesn't reward a good breach response. It punishes poor preparation. Here's what actually happens in the first 72 hours, what the enforcement record reveals, and the preparation that genuinely changes the outcome.
Guides
Building an AI governance framework: where to start
93% of UK organisations use AI. 7% govern it. Most of the governance you need is already required under UK GDPR. The first step isn't a framework document – it's finding out what AI you're actually using.
Guides
Sharing data with other organisations: what UK GDPR actually requires
Most organisations focus their data protection effort internally, but the largest unmanaged risk sits in how personal data moves to suppliers, processors, and partners. Only 9% of UK businesses say they transfer data internationally, yet almost all use cloud services that do exactly that.
Guides
Automated decisions about people: your legal obligations explained
The law on automated decisions about people changed in February 2026 – and the ICO has already found that most organisations' human oversight doesn't meet the new standard. Here's what the framework requires.
Analysis
Why your data protection policies aren't doing what you think they are
Most UK organisations have data protection policies on file. But when the ICO investigates, it doesn't ask whether policies exist – it asks whether anyone follows them. Here's how to tell if yours are actually working.
Analysis
AI bias isn't just an ethics problem – it's a legal one
AI bias creates legal exposure under three UK laws already in force – and the liability sits with the organisation using the tool, not the vendor. Here's what the obligations actually are and what to do about them.
Analysis
The real cost of getting data protection wrong
Many organisations price data protection risk as the risk of an ICO fine. The real cost – operational disruption, civil claims, lost contracts, reputational damage – consistently dwarfs the penalty, and almost every recent case involved basic failures that proactive governance would have caught.
Put your data protection in safe hands
Contact us today for a free, no-obligation conversation with a data protection practitioner about your organisation's needs. No sales pitch – just honest, practical advice.